BIND Per-Domain Forwarding (For iTunes / Akamai Speed Issues)

Public resolvers such as Google Public DNS or OpenDNS can provide better security and reliability than an ISP's own resolvers, and they sidestep the DNS hijacking many ISPs employ (typically answering for non-existent names with an ad-laden search page). OpenDNS itself rewrites some answers by default (its typo-correction feature), but that can be disabled in its "Advanced Settings" pane.

One downside of these services is that CDNs such as Akamai pick the edge site that serves you based on where the DNS query appears to come from, and what the CDN's authoritative servers see is the address of the recursive resolver, not the address of your client. With a public resolver the CDN may therefore choose an edge near the resolver rather than near you, and content arrives more slowly than expected (this is the problem the EDNS Client Subnet extension, RFC 7871, was later created to address). Apple distributes iTunes and App Store content through Akamai, so this can noticeably slow iTunes downloads or playback on an Apple TV.
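The fix the post title refers to is to forward only the CDN-backed domains to the ISP's resolvers (which sit at your real network location) while everything else keeps going to the public resolver. The script below is an added example, not code from the original post: it generates BIND "forward" zone stanzas for a list of domains. The resolver addresses 10.0.0.1/10.0.0.2 and the domain list (apple.com, akamai.net, akamaiedge.net) are placeholders; check the CNAMEs in your own dig output for the names that matter to you.

```sh
#!/bin/sh
# Added example (not from the original post): emit BIND "type forward" zone
# stanzas so that queries for CDN-backed domains go to the ISP resolvers while
# every other query still uses the global forwarders in the options block.
# Resolver addresses and domain names below are illustrative assumptions.

# gen_forward_zones "<isp resolver IPs>" domain...
# Prints one zone stanza per domain. "forward only" means BIND never falls back
# to its own recursion for these names, so the answer always comes from the ISP
# resolver and the CDN sees a query from the ISP's network.
gen_forward_zones() {
    fwd=$1; shift
    fwd_list=$(printf '%s; ' $fwd)      # "10.0.0.1; 10.0.0.2; "
    for d in "$@"; do
        printf 'zone "%s" {\n    type forward;\n    forward only;\n    forwarders { %s};\n};\n' \
            "$d" "$fwd_list"
    done
}

# Assumed ISP resolvers and CDN domains (placeholders, not the post's list).
ISP_RESOLVERS="10.0.0.1 10.0.0.2"
CDN_DOMAINS="apple.com akamai.net akamaiedge.net"

# Write the stanzas to a file that named.conf pulls in with
#     include "/etc/named/forward-cdn.conf";
# next to an options block whose global forwarders point at the public resolver:
#     options { forwarders { 8.8.8.8; 8.8.4.4; }; forward only; };
write_forward_conf() {
    out=${1:-/etc/named/forward-cdn.conf}
    gen_forward_zones "$ISP_RESOLVERS" $CDN_DOMAINS > "$out"
    # Syntax-check with BIND's own tool when it is installed.
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$out"
    fi
}

# Stand-alone run: print the stanzas so they can be reviewed before installing.
gen_forward_zones "$ISP_RESOLVERS" $CDN_DOMAINS
```

A forward zone covers the zone and every name under it, so one stanza per second-level domain is enough. Note the trade-off of "forward only": if the ISP resolvers are unreachable, names in those zones stop resolving instead of falling back to the public resolver. After reloading named, compare `dig @127.0.0.1 +short` for a CDN name with the answer you get directly from the ISP resolver; they should now agree.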


PostgreSQL 9 bytea_output and CGI::Session

PostgreSQL 9.0 changes the default text representation of bytea values from the traditional "escape" format (printable bytes as-is, everything else as \ooo octal escapes) to a new "hex" format (\x followed by two hex digits per byte), controlled by the new bytea_output setting. Programs that still parse the escape format, such as the PostgreSQL driver for CGI::Session, misread the new output and hand back corrupted session data.
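The following is an added example, not code from the original post or from CGI::Session: it tells the two bytea text formats apart, decodes the hex form with nothing but POSIX sh, and prints the server-side setting that restores the old format for a program that cannot be upgraded. The sample value and the database name "sessions" are constructed.

```sh
#!/bin/sh
# Added example (not from the original post or CGI::Session): handle the two
# PostgreSQL bytea output formats. Sample values are constructed.

# PostgreSQL 9.0+ default ("hex"): "\x" followed by two hex digits per byte.
# Pre-9.0 ("escape"): printable bytes as-is, others as \ooo, backslash as \\.
bytea_format() {
    case $1 in
        \\x*) echo hex ;;
        *)    echo escape ;;
    esac
}

# Decode a hex-format value to raw bytes using only POSIX sh and printf.
# (PostgreSQL emits lowercase hex; uppercase is accepted too.)
bytea_hex_decode() {
    hex=${1#\\x}
    while [ -n "$hex" ]; do
        if [ "${#hex}" -lt 2 ]; then
            echo "bytea_hex_decode: odd-length hex string" >&2
            return 1
        fi
        pair=${hex%"${hex#??}"}        # first two hex digits
        hex=${hex#??}                  # drop them
        # Convert the byte to a \ooo octal escape and let printf emit it.
        printf "\\$(printf '%03o' "$((0x$pair))")"
    done
}

# SQL that pins the old format for one database, so an unchanged
# CGI::Session installation keeps reading its blobs. ALTER ROLE works the
# same way if only one login role needs it.
bytea_legacy_sql() {
    printf "ALTER DATABASE \"%s\" SET bytea_output = 'escape';\n" "$1"
}

# Demo on a constructed value: the bytes "Hello" as PostgreSQL 9 returns them.
sample='\x48656c6c6f'
echo "format:  $(bytea_format "$sample")"
echo "decoded: $(bytea_hex_decode "$sample")"
bytea_legacy_sql sessions
```

Feed the ALTER DATABASE statement to psql as a superuser or the database owner; it takes effect for new sessions, so restart the web application afterwards. Pinning the legacy format is a stop-gap: the proper fix is a driver that recognises the \x prefix, since bytea_output is a per-session setting that any client can override.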


OS X DirectoryService UUID case sensitivity

I recently ran into an issue where some new users with LDAP-based accounts did not see any CUPS shared printers.
The solution turned out to be the case sensitivity of the apple-generateduid attribute.
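As an added example (not code from the original post), here is a quick audit of an LDIF dump for apple-generateduid values whose case does not match the form OS X itself generates. That OS X writes these UUIDs in upper case (as uuidgen does) is an assumption made here, as is the LDIF shape; the sample entries are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): find LDAP accounts whose
# apple-generateduid is not in the upper-case form OS X generates (assumption),
# and emit an LDIF "modify" that fixes them. Sample LDIF is constructed.

# audit_generateduid < dump.ldif
# Prints "dn<TAB>value" for every entry whose UUID is not already upper case.
audit_generateduid() {
    awk '
        /^dn: / { dn = substr($0, 5) }
        tolower($0) ~ /^apple-generateduid: / {
            v = $0; sub(/^[^:]*: */, "", v)
            if (v != toupper(v)) printf "%s\t%s\n", dn, v
        }'
}

# fix_generateduid_ldif < dump.ldif > fix.ldif
# Emits one changetype: modify record per mismatching entry; apply with
#     ldapmodify -x -D "cn=admin,dc=example,dc=com" -W -f fix.ldif
fix_generateduid_ldif() {
    awk '
        /^dn: / { dn = substr($0, 5) }
        tolower($0) ~ /^apple-generateduid: / {
            v = $0; sub(/^[^:]*: */, "", v)
            if (v != toupper(v))
                printf "dn: %s\nchangetype: modify\nreplace: apple-generateduid\napple-generateduid: %s\n-\n\n",
                       dn, toupper(v)
        }'
}

# Constructed sample: alice was created by a script that lower-cased the
# UUID, bob was created by Workgroup Manager and is already upper case.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=com
apple-generateduid: 5f1c2d3e-0000-1111-2222-333344445555

dn: uid=bob,ou=people,dc=example,dc=com
apple-generateduid: 6A1C2D3E-0000-1111-2222-333344445555
'

printf '%s\n' "$SAMPLE_LDIF" | audit_generateduid
printf '%s\n' "$SAMPLE_LDIF" | fix_generateduid_ldif
```

Produce the dump with `ldapsearch -x -LLL -b ou=people,dc=example,dc=com apple-generateduid` (base64-encoded `::` values are not handled). Run the audit against the server before changing anything: the UUID is what printer and group ACLs reference, so its value must stay the same and only its case may change.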


Checking for DNS Poisoning Vulnerability

Just a quick way to test whether your DNS servers are vulnerable to the July 2008 DNS cache poisoning vulnerability (CVE-2008-1447, the Kaminsky attack). Resolvers that send their outgoing queries from a fixed or narrowly spread source port are affected, and the test measures exactly that.

From: https://www.dns-oarc.net/oarc/services/porttest

$ dig @4.2.2.3 +short porttest.dns-oarc.net TXT

Replace 4.2.2.3 with the IP address of each DNS server you actually use. The TXT answer reports how many distinct source ports the resolver used for its queries and grades the spread.
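The wrapper below is an added example, not part of the original post: it runs the port test against every resolver in /etc/resolv.conf (or those given on the command line) and reduces each answer to one word. The answer's GOOD/FAIR/POOR keyword is what the test reports; the full wording of the sample answers here is constructed, not captured.

```sh
#!/bin/sh
# Added example (not from the original post): run the DNS-OARC port test
# against each resolver and reduce the TXT answer to a one-word grade.
# Sample answers are constructed; only the GOOD/FAIR/POOR keyword is relied on.

# porttest_grade "<txt answer>" -> GOOD | FAIR | POOR | UNKNOWN
porttest_grade() {
    case $1 in
        *GOOD*) echo GOOD ;;
        *FAIR*) echo FAIR ;;
        *POOR*) echo POOR ;;
        *)      echo UNKNOWN ;;   # empty answer, timeout, or unexpected text
    esac
}

# Query the test name through one resolver. The answer reflects the source
# ports the *recursive resolver* used when it talked to OARC's authoritative
# server, so it must be sent to the resolver you rely on, not to an
# authoritative server of your own.
porttest_resolver() {
    dig "@$1" +short +time=5 +tries=1 porttest.dns-oarc.net TXT 2>/dev/null | tr -d '"'
}

# porttest_all [resolver...]  -> prints "<resolver> <grade>" per server,
# exits non-zero unless every resolver graded GOOD.
porttest_all() {
    if [ $# -eq 0 ]; then
        set -- $(awk '/^nameserver/ { print $2 }' /etc/resolv.conf)
    fi
    rc=0
    for ns in "$@"; do
        answer=$(porttest_resolver "$ns")
        grade=$(porttest_grade "$answer")
        printf '%-15s %s\n' "$ns" "$grade"
        [ "$grade" = GOOD ] || rc=1
    done
    return $rc
}

# Constructed sample answer in the shape the test returns; a live run is
#     porttest_all 4.2.2.3 8.8.8.8
SAMPLE_ANSWER='4.2.2.3 is GOOD: 26 queries in 1.2 seconds from 26 ports with std dev 17890'
porttest_grade "$SAMPLE_ANSWER"
```

Two caveats when reading the result: a POOR grade on a patched resolver usually means a NAT device in front of it is rewriting source ports back into a sequential range, which undoes the randomisation the patch added; and a GOOD grade only covers this one mitigation, so keep the resolver patched and restrict recursion to your own clients as well.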

SSL Certificates with DNS Aliases

At work I have several systems that provide SSL-encrypted services but answer to multiple host names. For instance, an LDAP server may be named server1.example.com but have DNS aliases of ldap-1.example.com and directory.example.com. If a client connects to ldap-1.example.com and the server presents a certificate whose common name is server1.example.com, the client's hostname check fails and it either refuses the connection or throws up a warning.

To get around this problem one can install certificates that carry the subjectAltName extension, listing every DNS name the host answers to (including the one in the common name, since clients that understand the extension ignore the common name once it is present).
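Here is an added example, not code from the original post: it writes an OpenSSL request configuration whose subjectAltName lists every name the host answers to, issues a self-signed certificate from it for testing, and checks that each alias is present. The host and alias names are the post's; the key size, validity period and file names are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): build a certificate whose
# subjectAltName lists every DNS name the host answers to. Key size, validity
# period and file names are assumptions.

# san_config <cn> <alias>... -> prints an openssl req config with the SAN
# extension. The CN is repeated in the SAN list because clients that honour
# subjectAltName ignore the CN entirely once the extension is present.
san_config() {
    cn=$1; shift
    names="DNS:$cn"
    for alias in "$@"; do
        names="$names,DNS:$alias"
    done
    cat <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
CN = $cn

[ v3_req ]
subjectAltName = $names
EOF
}

# make_san_cert <cn> <alias>... -> writes <cn>.key, <cn>.csr and a
# self-signed <cn>.crt in the current directory. For production, send
# <cn>.csr to your CA instead of self-signing (the CSR carries the SANs).
make_san_cert() {
    cn=$1
    san_config "$@" > "$cn.cnf"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$cn.key" \
        -config "$cn.cnf" -out "$cn.csr"
    openssl x509 -req -days 365 -in "$cn.csr" -signkey "$cn.key" \
        -extfile "$cn.cnf" -extensions v3_req -out "$cn.crt"
}

# cert_has_name <cert.pem> <dns name> -> true if the name is in subjectAltName
cert_has_name() {
    openssl x509 -in "$1" -noout -text | grep -qE "DNS:$2(,|$)"
}

# Stand-alone run: show the config for the post's LDAP server and its aliases.
#     make_san_cert server1.example.com ldap-1.example.com directory.example.com
#     cert_has_name server1.example.com.crt ldap-1.example.com && echo ok
san_config server1.example.com ldap-1.example.com directory.example.com
```

Once the certificate is installed, verify from the client side against each alias, for example `openssl s_client -connect ldap-1.example.com:636` followed by checking that the "Verify return code" is 0 and that the subjectAltName printed by `openssl x509 -noout -text` contains the alias you connected to. Any name you later add as a DNS alias needs a re-issued certificate; the extension is fixed at signing time.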
